| Forum Home | ||||
| Press F1 | ||||
| Thread ID: 122699 | 2012-01-08 00:07:00 | Hijacked wordpress site | Chilling_Silence (9) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 1252856 | 2012-01-13 19:40:00 | So, if I understand this correctly, once WP has created the .htaccess file, does it need to modify it at various times? Why cant you chmod it to 664 or totally read only and stop it being modified? | Iantech (16386) | ||
| 1252857 | 2012-01-14 00:35:00 | Chill knows more about this than me, but I'll tell you how work rules. You can have Wordpress on Webdrive but they don't recommend it as the permissions are different. You'd have to 777 stuff to allow the PHP writing due to some stuff about the environment I don't get yet.. Which is being changed apparently.... So they encourage Openhost instead. Permissions are generally 755 by default, lots of stuff there is locked down, customers can't alter safemode, himem, can't unzip and so on, We have to do it for them. It doesn't make Wordpress totally secure, it still can get hacked - theres the Tim Thumb vulnerability at present e're telling customers to fix. But it's more secure there, so long as it's kept up to dat, all these mods and things are updated too. There are certain ones that won't work on our servers, due to whats locked down on them there. Tough luck, you use something else or go elsewhere. |
pctek (84) | ||
| 1252858 | 2012-01-14 06:30:00 | mmmm not quite that simple, and they're mis-guided with webdrive vs openhost, or are mis-guiding you at least. You never have to set permissions to 777, that's global read, write & execute. | Chilling_Silence (9) | ||
| 1252859 | 2012-01-14 19:45:00 | I know what 777 is. As I said, don't understand it all yet. They do recommend OH over WD for it though. I forget the issue with WD, I'll ask again Monday. | pctek (84) | ||
| 1252860 | 2012-01-14 19:57:00 | The problem there is that www-data (the user that apache is running as) has read and write access to it all, so someone exploiting a "feature" of your WP can then alter ANY of the config files in your webroot. So YES change the owner to root (or at least not www-data) and I would change the permissions on config.php to remove write access from 'group' & 'world". You WILL need to have some area's writeable but I don't know what they are for WP. Maybe safer to just replace the WP site with something written from scratch (mind you the jalbum albums are fine, it's just that a website for a first page looks a lot better than "Index of Photosite"), then at least owner & group can be what I chose, which retains the security, which was the reason I started the project. As per what Chill said, change your_vhost_label.conf to point '/' at the actual WP dir instead of /var/www/ edit: And yes Webmin is pretty cool, until you discover how shitty it is ... :) Point taken, thanks, about Chill's advice. When I get to the stage where I find out about webmin; what do you think could be a better way to go? Kev, who ran me through the tutorial always intimates that we could find the "command line" better. |
jcr1 (893) | ||
| 1252861 | 2012-01-14 20:09:00 | Yeah but the thing is visitors don't magically have write access to the server, the only time you *would* is if the software you're running is flawed enough (As this bug apparently in WP is) to allow the user to do-so. You don't need to mess with mod_rewrite for what you want, if you've only got one website then it'll be the 'default' that apache serves up if you have vhosts turned on no doubt (vhosts allows you to host different sites from the one PC, for example it knows if your gues wants to go to pressf1.co.nz vs pcworld.co.nz (They're not on the same server but I forget the other site that's on this PF1 server). This means that all you need is some description of dynamic DNS to point it to your home IP Address. Usually your router will support the likes of dyndns.org or no-ip.com so check in your router coz it'll be easiest to get your router to update a dynamic DNS service if it supports it :) Router supports dyndns, I use it. Just had a think about it; it probably won't work as I've allocated "users", their own websites, so if I configure the router to go to the simpler URL, the other users would be shut out? Just a bit of an update, I had a few of my *own* on a share-hosting server. Forgot that I had a wordpress install in one of the subfolders somewhere on a testing domain. Long story short reinfected the whole bloody lot of about 7 sites I host from that one share hosting. Was not a happy chappy, but I seem to have cleaned it all up now. Only have about two left of other peoples to clean up now :D All the best with this one Chill:D |
jcr1 (893) | ||
| 1252862 | 2012-01-15 08:09:00 | Can you explain what you've given the users already? If I understand you correctly, everything should work OK still... |
Chilling_Silence (9) | ||
| 1252863 | 2012-01-15 08:50:00 | I figured that if my DynDNS was set to say joeblog.dyndns.org and the wordpress site's URL is joeblog.dyndns.org/gallery/wordpress and I want to shorten that to joeblog.dyndns.org/photos, then when I set DynDNS, in router to joeblog.dyndns.org/photos. Then wouldn't that cancel out; joeblog.dyndns.org/gallery/ joeblog.dyndns.org/photosite/ joeblog.dyndns.org/favourite son/ joeblog.dyndns.org/silly old fool/ etc.? Anyway Chill, this is just academic, but I'd still like to know:lol: |
jcr1 (893) | ||
| 1252864 | 2012-01-15 09:32:00 | DNS (dynamic or otherwise) only maps the domain name (joeblog.dyndns.org) to your IP address. You could change the vhost.conf to set the / (what gets served when you go to joeblog.dyndns.org/) to but, yes that would break the others. What you could do (if you are paying for the DNS) is set A records for gallery.joeblog.dyndns.org & wordpress.joeblog.dyndns.org etc. all pointing to the same IP, and have separate vhosts pointing to the appropriate directory. Yet another option might be simply to use a symlink to shorten the path thusly: ln -s /var/www/gallery/wordpress /var/www/wordpress |
fred_fish (15241) | ||
| 1252865 | 2012-01-16 00:26:00 | Chill - it's because they haven't got su php on WD yet, only on OH. Being changed but a bit of a major due to the numbers on WD, and they have to be down or moved before the servers cna be chnaged. |
pctek (84) | ||
| 1 2 3 4 5 6 | |||||